TACACS+ and Multiple Roles

We're using one TACACS+ server running on Ubuntu and are trying to integrate it with the R80.10 SMS. On the SMS server, we've created two roles, TACP-0 (with Read/Write access to the Authentication Servers and Firewall Management) and TACP-15 (with Read/Write access to everything). Our users can authenticate, but every authenticated user seems to default to the TACP-0 role, even with priv-lvl set to 15, instead of to the TACP-15 role. Is there anything we're missing?

Re: TACACS+ and Multiple Roles

Yes, that is the default behavior. You'll always log in as TACP-0 first and then you must call for advanced role rights with tacacs_enable TACP-15. It is written in the SK mentioned by Danny Jung above. Quite unpleasant is that you'll need to reauthenticate a second time.

Re: TACACS+ and Multiple Roles

Given that the default role for all TACACS users is TACP-0, it seems that R/W access to the "tacacs_enable" command must exist on the TACP-0 role for the R/W users to be able to use it to escalate to TACP-15, but then this allows RO users to also use it.

How do you limit RO users so they do not have the ability to escalate their privileges using tacacs_enable TACP-15 whilst allowing R/W users to do so?
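The escalation control the last post asks about belongs on the TACACS+ server, not on the TACP-0 role: the device can let every user issue tacacs_enable, but the server's per-user policy decides whether the enable request for priv-lvl 15 is granted. The following is an added illustration of that model, not code from this thread, from Check Point, or from any TACACS+ server implementation. It parses RFC 8907 style authorization AV-pairs (priv-lvl=15 mandatory, attr*value optional), maps the level to the thread's TACP-<n> role naming, and evaluates an enable request against a constructed per-user maximum level. The user table, role-name convention and audit line format are assumptions for the example.

```python
"""Illustrative TACACS+ priv-lvl -> role mapping and enable-escalation policy.

Added example only. Assumptions: roles are named TACP-<level> (0..15) as in
the thread, and the server keeps a per-user maximum priv-lvl (constructed
table below) that an 'enable' request must not exceed.
"""
import re

# RFC 8907 AV-pair syntax: "attr=value" is mandatory, "attr*value" is optional.
AV_PAIR = re.compile(r"^([^=*]+)([=*])(.*)$")
ROLE_NAME = re.compile(r"TACP-(\d{1,2})")


def parse_av_pairs(args):
    """Return {attr: (value, mandatory)} from a list of authorization AV-pair strings."""
    parsed = {}
    for arg in args:
        m = AV_PAIR.match(arg)
        if not m:
            raise ValueError(f"malformed AV-pair: {arg!r}")
        attr, sep, value = m.groups()
        parsed[attr] = (value, sep == "=")
    return parsed


def authorized_priv_lvl(args, default=0):
    """Extract priv-lvl (0..15) from an authorization REPLY; fall back to `default`.

    The thread's observed behaviour is that the initial login lands in TACP-0
    regardless, which is why the default here is 0.
    """
    pairs = parse_av_pairs(args)
    if "priv-lvl" not in pairs:
        return default
    value, _mandatory = pairs["priv-lvl"]
    lvl = int(value)
    if not 0 <= lvl <= 15:
        raise ValueError(f"priv-lvl out of range: {lvl}")
    return lvl


def role_for_level(lvl):
    """Map a priv-lvl to the thread's role naming convention (assumed: TACP-<n>)."""
    return f"TACP-{lvl}"


# Constructed stand-in for the server's per-user policy (not a real config format).
USERS = {
    "alice": {"max_priv_lvl": 15},   # read/write administrator
    "bob":   {"max_priv_lvl": 0},    # read-only user
}


def enable_decision(username, requested_role, users=USERS):
    """Server-side decision for a 'tacacs_enable <role>' request.

    Returns (allowed, reason). A read-only user can still type the command on
    the device; the server simply refuses to authenticate the higher level.
    """
    m = ROLE_NAME.fullmatch(requested_role)
    if not m:
        return False, "unknown role name"
    requested = int(m.group(1))
    if not 0 <= requested <= 15:
        return False, "priv-lvl out of range"
    user = users.get(username)
    if user is None:
        return False, "unknown user"
    if requested > user["max_priv_lvl"]:
        return False, f"user authorized up to priv-lvl {user['max_priv_lvl']}"
    return True, "ok"


def escalation_audit(username, requested_role, users=USERS):
    """One audit line per enable attempt; denied attempts are what a SOC wants to see."""
    allowed, reason = enable_decision(username, requested_role, users)
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} enable user={username} role={requested_role} reason={reason}"


if __name__ == "__main__":
    # Initial login: authorization reply from the server, mapped to a role.
    print(role_for_level(authorized_priv_lvl(["service=shell", "priv-lvl=15"])))
    # Escalation attempts by an R/W user and an RO user.
    print(escalation_audit("alice", "TACP-15"))
    print(escalation_audit("bob", "TACP-15"))
```

The point of splitting the logic this way is that restricting tacacs_enable on the TACP-0 role is unnecessary: leave the command reachable, and let the server's per-user policy (the max_priv_lvl column in this toy table, or its equivalent in your TACACS+ daemon) deny the enable authentication for read-only accounts, while logging every denied attempt.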